Securing Our Security

Physical security has been an essential part of nearly every successful venture since our very beginning. Charitable organizations located in downtrodden parts of town are intentional about using popular physical security concepts to create a safe space for those they serve. Small businesses gaining momentum on the backs of revolutionary ways of going to market need to be diligent about protecting the intellectual property that has empowered them to separate themselves from their competition. And large enterprises, which have amassed countless assets to support their daily endeavors, strive to protect these assets behind layers of physical barriers intended to prevent unauthorized access. Implementing measures designed to protect an organization’s interests is a must; without this protection, it is reasonable to expect that at some point an attack or disaster may take it all away.

Throughout history, the way organizations have achieved an appropriate level of security has dramatically evolved. Now, even the smallest entities can realize a level of sophistication that would have commanded big-time budgets at the beginning of this century. IP cameras, for example, were tremendously expensive a decade ago. As well, analog video, while more cost-effective, had physical limitations that oftentimes made covering remote areas impractically expensive. Thankfully, significant advancements in this area are realized seemingly daily, and so today’s security marketplace offers cost-effective HD security camera solutions that are reliable, flexible, and highly available. It is important to note, though, that this rapid advancement, and the new implementation methodologies that come with new technologies, oftentimes bring with them new threat landscapes that need to be proactively identified, qualified, and mitigated. The aforementioned example exposed physical security solutions to cyber-threats that were previously less severe.

Cyber-threats are not new, with the first virus being documented in the early 1970s. However, the physical security industry has only generally embraced core information technology concepts over the past 25 years. Private and proprietary networks, though more limited and less scalable than today’s area networks, were less susceptible to cyber-attacks. Cyber-attacks happen constantly, change rapidly, and can oftentimes be much more disruptive to a business than the average physical attack. Cyber-attacks are malicious attacks against an area network, and today’s “internet of things” (IoT) pursuit commonly puts internet-connected security devices such as IP cameras, access controllers, emergency call systems, and alarm panels on an enterprise’s network alongside personal computers. This architecture provides incredible advantages, including centralized management and remote access. However, exposing these systems to the internet also opens the possibility for malicious outside resources to force their way inside.

As we, physical security practitioners, embrace the latest and greatest technology that our industry has to offer, we need to do so cautiously. We have a responsibility to those we protect to also aid them in securing their security. I’ve prepared a short list of suggestions for “hardening” a security network; these are practical measures that should be considered ahead of any deployment:

1. Use “open” technology that follows industry listings, standards, or guidelines. When vulnerabilities are discovered inside proprietary systems, end users are completely bound by that manufacturer’s capacity to address the vulnerability.
2. Set unique and complex username and password combinations on every piece of equipment connected to the network. Updating devices to no longer use factory default credentials is one of the easiest and most impactful ways to secure any system.
3. Maintain an audit log of all system operations and review it for suspect activity regularly. Also, the principle of least privilege should be exercised for system users.
4. Invest in systems that inherently support intrusion detection, and alert operators based on unauthorized entry or attempts thereof. Furthermore, train operators on the appropriate response when alerts are raised so that the problem is mitigated as quickly as possible.
5. Know where your security systems are manufactured. It’s reasonable to think systems manufactured by entities not friendly to our Country, State, or organizational efforts may not have our best interests in mind, and do not belong on our private networks.
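
An added example, not part of the original article, sketching the regular audit-log review from items 3 and 4: it flags bursts of failed logins, a successful login right after such a burst, and actions outside an account's assigned role. The log format, device names, accounts, and role policy are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format):
# timestamp device user source_ip action result
SAMPLE_LOG = """\
2024-03-01T02:14:05 cam-lobby admin 203.0.113.7 login FAIL
2024-03-01T02:14:09 cam-lobby admin 203.0.113.7 login FAIL
2024-03-01T02:14:13 cam-lobby admin 203.0.113.7 login FAIL
2024-03-01T02:14:20 cam-lobby admin 203.0.113.7 login OK
2024-03-01T08:30:00 door-ctrl-1 jsmith 10.0.5.21 login OK
2024-03-01T08:31:10 door-ctrl-1 jsmith 10.0.5.21 export_video OK
2024-03-01T09:00:00 alarm-panel operator1 10.0.5.30 login FAIL
2024-03-01T09:00:40 alarm-panel operator1 10.0.5.30 login OK
"""

# Hypothetical least-privilege policy: actions each account may perform.
ALLOWED = {
    "admin": {"login", "export_video", "change_config"},
    "jsmith": {"login", "view_live"},
    "operator1": {"login", "view_live", "ack_alarm"},
}

def parse(log):
    for line in log.splitlines():
        ts, device, user, src, action, result = line.split()
        yield datetime.fromisoformat(ts), device, user, src, action, result

def review(log, max_fails=3, window=timedelta(minutes=5)):
    findings = []
    fails = defaultdict(list)  # (device, source) -> recent failure times
    for ts, device, user, src, action, result in parse(log):
        key = (device, src)
        if action == "login" and result == "FAIL":
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
            if len(fails[key]) == max_fails:
                findings.append(("failed-login-burst", device, user, src))
        elif action == "login" and result == "OK":
            recent = [t for t in fails[key] if ts - t <= window]
            if len(recent) >= max_fails:
                findings.append(("login-after-burst", device, user, src))
            fails[key] = []
        # Least privilege: any successful action must be in the account's role.
        if result == "OK" and action not in ALLOWED.get(user, set()):
            findings.append(("outside-role", device, user, action))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A single mistyped password, as on the alarm panel here, stays below the threshold and raises nothing, which keeps operator alerts meaningful.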

This list is by no means exhaustive or complete; it is intended to lay a foundation from which additional, practical measures can be taken to ensure vulnerabilities are not introduced when incorporating new or revised security efforts. Like maintaining a relationship with emergency response resources, it is prudent that security managers work closely with the organization’s information technology personnel to ensure each team’s efforts are not in conflict with the other.

In summary, rapid technological advancement has empowered us to secure our facilities and protect our assets more tightly than ever before. However, it is imperative that we secure our security by diligently pre-qualifying the systems we invest in, and then regularly auditing their use once operational, among other things. Doing this allows us to safely and securely protect facilities, information, and people in ways previously not possible.


Jake Kuncaitis, CPP
